fix(security): bump hono and @hono/node-server (ENG-14187 ENG-14188 ENG-14189 ENG-14193 ENG-14201 ENG-14202)#47

Merged: andriy-sudo merged 1 commit into main from andriy/ENG-14189-fix-hono-4.12.12 on Apr 14, 2026

Conversation

@andriy-sudo (Contributor)

Vulnerability Fixes

| Package | Old | New | Advisory | CVSS | Status |
| --- | --- | --- | --- | --- | --- |
| hono | 4.7.5 | 4.12.12 | GHSA-26pp-8wgv-hjvm | | ✅ Fixed |
| hono | 4.7.5 | 4.12.12 | GHSA-r5rp-j6wh-rvv4 | | ✅ Fixed |
| hono | 4.7.5 | 4.12.12 | GHSA-wmmm-f939-6g9c | | ✅ Fixed |
| hono | 4.7.5 | 4.12.12 | GHSA-xf4j-xp2r-rqqx | | ✅ Fixed |
| hono | 4.7.5 | 4.12.12 | GHSA-xpcf-pg52-r92g | | ✅ Fixed |
| hono | 4.7.5 | 4.12.12 | GHSA-92pp-h63x-v22m | | ✅ Fixed |

Fixes Linear tickets: ENG-14187, ENG-14188, ENG-14189, ENG-14193, ENG-14201, ENG-14202

Both hono and @hono/node-server are transitive dependencies — bumped via npm overrides in package.json.

Changelog impact summary
| Package | Old | New | Classification | Key changes |
| --- | --- | --- | --- | --- |
| hono | 4.7.5 | 4.12.12 | Patch/security | Multiple security advisories fixed; no breaking API changes in 4.x |
| @hono/node-server | ≤1.19.12 | 1.19.14 | Patch/security | Security fixes aligned with hono 4.12.12 |

… ENG-14189, ENG-14193, ENG-14201, ENG-14202)

- hono 4.7.5 → 4.12.12 (GHSA-26pp-8wgv-hjvm, GHSA-r5rp-j6wh-rvv4, GHSA-wmmm-f939-6g9c, GHSA-xf4j-xp2r-rqqx, GHSA-xpcf-pg52-r92g, GHSA-92pp-h63x-v22m)
- @hono/node-server → 1.19.13+ (same advisories)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@coderabbitai (Bot) commented Apr 14, 2026

📝 Walkthrough

The package.json file was updated to override dependency versions for the Hono framework and its Node.js server adapter. The changes include pinning hono to version 4.12.12 and @hono/node-server to version 1.19.13 in the dependency overrides section. The lodash entry was preserved with minor formatting adjustments. No other dependencies, scripts, or configuration entries were modified.

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly and specifically describes the main change: bumping hono and @hono/node-server for security fixes, with relevant ticket references. |
| Description check | ✅ Passed | The description is directly related to the changeset, providing detailed vulnerability information, version changes, and affected Linear tickets. |


@coderabbitai (Bot) left a comment

🧹 Nitpick comments (2)
package.json (2)

60-61: Prefer exact pins (not caret ranges) for security override entries.

For security remediations, exact override pins are more reproducible and easier to audit than floating ranges.

Suggested hardening
-    "hono": "^4.12.12",
-    "@hono/node-server": "^1.19.13"
+    "hono": "4.12.12",
+    "@hono/node-server": "1.19.14"
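Review bot: the suggested pin for @hono/node-server ("1.19.14") disagrees with the agent prompt that follows, which tells the agent to replace "^1.19.13" with "1.19.13", and with the commit message's "1.19.13+"; settle on one target version (the changelog table in the description says 1.19.14) before applying the suggestion. An exact pin also changes what npm resolves, so package-lock.json must be regenerated in the same change; that file is excluded from this review by the path filter, so the resolved version should be confirmed by hand.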
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 60-61, the package.json currently lists floating caret ranges for the security overrides; change the dependencies "hono" and "@hono/node-server" from caret ranges to exact pins by replacing "^4.12.12" with "4.12.12" and "^1.19.13" with "1.19.13" respectively so the security override entries are reproducible and auditable (update any lockfile afterward via your package manager).

61-61: Consider using exact version pins for security-critical dependencies.

The override ^1.19.13 currently resolves to 1.19.14 in the lockfile, which aligns with the PR objective. However, for security-critical overrides, exact version pins (e.g., 1.19.14 instead of ^1.19.13) improve reproducibility and ensure the precise patched version is always installed without relying on version resolution logic.

Suggested improvement
-    "@hono/node-server": "^1.19.13"
+    "@hono/node-server": "1.19.14"
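Review bot: this suggestion repeats the @hono/node-server line of the previous suggested hardening; the two nitpicks should be consolidated so a single diff covers both override entries. Note also that the walkthrough above describes the override as pinning @hono/node-server to 1.19.13 while this comment says the range resolves to 1.19.14; the lockfile, excluded from review by the path filter, is the only place to confirm which version is actually installed.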
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 61, change the caret version for the security-critical override to an exact pinned release for reproducible installs: replace the dependency spec "@hono/node-server": "^1.19.13" with the exact patched version used in the lockfile (e.g., "1.19.14"), update the lockfile by running your package manager (npm/yarn/pnpm) so it records the exact version, and ensure any CI install steps use the lockfile to guarantee the pinned version is installed; reference the "@hono/node-server" override entry when making this change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d3cd3660-96aa-4114-89af-ffee80362fd9

📥 Commits

Reviewing files that changed from the base of the PR and between 5fcfdc7 and 56d7f84.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
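As an added example (not code from this PR, the repository, or the hono project), the following Node script performs the check that the two nitpicks above ask for and that the description's use of npm overrides implies: it reads every `overrides` entry in package.json, finds every copy of that package recorded in package-lock.json (including copies nested under other packages, which an override is meant to cover), verifies that each resolved version satisfies the override, and flags caret ranges on overrides. The package.json and package-lock.json objects embedded in the script are constructed samples shaped like the versions in this PR; the function names `auditOverrides`, `satisfies`, `installsOf` and `violations` are mine, and the matcher handles only exact and caret specs.

```javascript
// Added example: audit npm "overrides" against the lockfile. Not part of this PR.
// The two objects below are constructed samples, not the repository's real files.
const samplePackageJson = {
  name: "example-app",
  overrides: {
    hono: "^4.12.12",
    "@hono/node-server": "^1.19.13",
    lodash: "4.17.21",
  },
};

// Constructed lockfile excerpt (the "packages" map of lockfileVersion 2/3, keyed
// by install path). The nested hono copy simulates a stale entry the override missed.
const samplePackageLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/hono": { version: "4.12.12" },
    "node_modules/@hono/node-server": { version: "1.19.14" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/some-lib/node_modules/hono": { version: "4.7.5" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers. Prerelease tags are rejected on purpose:
// a security pin should never resolve to one.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Minimal matcher for the two spec shapes in the sample: exact "x.y.z" and caret
// "^x.y.z" (npm's default). Caret permits updates that leave the left-most
// non-zero component unchanged, so "^0.2.1" admits 0.2.9 but not 0.3.0.
function satisfies(version, spec) {
  if (!spec.startsWith("^")) return compareVersions(version, spec) === 0;
  const base = spec.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [vMajor, vMinor] = parseVersion(version);
  const [bMajor, bMinor] = parseVersion(base);
  if (bMajor > 0) return vMajor === bMajor;
  if (bMinor > 0) return vMajor === 0 && vMinor === bMinor;
  return compareVersions(version, base) === 0; // ^0.0.z behaves as an exact pin
}

// Every lockfile path that installs <name>, including copies nested under other
// packages. An override is supposed to apply to all of them, so all are checked.
function installsOf(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// One finding per override: whether the spec floats (anything other than an
// exact x.y.z) and whether each installed copy satisfies it.
function auditOverrides(pkg, lock) {
  return Object.entries(pkg.overrides || {}).map(([name, spec]) => ({
    name,
    spec,
    floating: !/^\d+\.\d+\.\d+$/.test(spec),
    installs: installsOf(lock, name).map((i) => ({
      ...i,
      ok: satisfies(i.version, spec),
    })),
  }));
}

// Human-readable list of installed copies that violate their override.
function violations(findings) {
  return findings.flatMap((f) =>
    f.installs
      .filter((i) => !i.ok)
      .map((i) => `${f.name}@${i.version} at ${i.path} does not satisfy override ${f.spec}`)
  );
}

// Stand-alone run over the constructed samples.
const sampleFindings = auditOverrides(samplePackageJson, samplePackageLock);
for (const f of sampleFindings.filter((f) => f.floating)) {
  console.log(`floating override: ${f.name} ${f.spec}`);
}
for (const v of violations(sampleFindings)) console.log(`VIOLATION: ${v}`);
```

To run this against a real tree, replace the two sample objects with `JSON.parse(fs.readFileSync(...))` of the actual package.json and package-lock.json; both lockfileVersion 2 and 3 carry the `packages` map the script reads. On the sample data the script reports both caret overrides as floating and the nested hono@4.7.5 copy as a violation, which is exactly the condition a lockfile excluded from review would otherwise hide.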

@andriy-sudo andriy-sudo requested a review from colriot April 14, 2026 16:09
@andriy-sudo (Contributor, Author)

@colriot — SPOC review request. Reviewer assignment API returned empty (team-access-only repo). Please review and approve when ready.

@andriy-sudo andriy-sudo merged commit 928d951 into main Apr 14, 2026
4 checks passed
@andriy-sudo andriy-sudo deleted the andriy/ENG-14189-fix-hono-4.12.12 branch April 14, 2026 18:55